XenForo OAuth2 Unauthorized API Access

Published 2025-01-13


Description

For any valid OAuth client application in XenForo, a request to the authorization endpoint /oauth2/authorize can carry an arbitrary scope parameter. XenForo does not check whether the requested scopes are permitted for that OAuth client, so once the user approves the request, the resulting access token carries the API permissions of every scope that was asked for. The "Allowed scopes" setting in the OAuth2 client options therefore does not actually restrict the client's permissions: a client configured for read-only scopes can obtain a token with write scopes. This vulnerability affects XenForo versions 2.3.0 <= version < 2.3.5.

Mitigation and Fix

Add a scope permission check to the OAuth2 controller (the class that XenForo exposes for extension as XFCP_OAuth2): every scope in the request must be contained in the client's allowed_scopes, otherwise the authorization request is refused before the consent step.
As a temporary fix, until upgrading to 2.3.5 or later, an add-on can extend the existing XFCP_OAuth2 class and run the following check at the start of the authorize action before handing over to the parent implementation.

// OAuthClient is XenForo's OAuth client entity class; import it with a use statement.
$clientId = $this->filter('client_id', 'str');
$client = $this->em()->find(OAuthClient::class, $clientId);
if (!$client) {
    // unknown client_id: do not continue into the authorization flow
    return $this->notFound();
}
// allowed_scopes is the list configured under "Allowed scopes" in the OAuth2 client options
$allowedScopes = $client->allowed_scopes;
$input = $this->getOAuthRequestInput($client);
if ($input['scope']) {
    // scope is a space-delimited list (RFC 6749 section 3.3); refuse the whole request
    // if any requested scope is not in the client's allowed list
    $requestedScopes = explode(' ', $input['scope']);
    foreach ($requestedScopes as $scope) {
        if (!in_array($scope, $allowedScopes, true)) {
            return $this->error(\XF::phrase('please_enter_valid_api_scope_id'), 403);
        }
    }
}
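To make the failure mode and the fix concrete outside of a XenForo install, the following is an added, self-contained PHP model of the authorize-endpoint scope check. It is example code written for this page, not XenForo's own code: the Client class, the issueToken functions, the scope names and the sample request are all constructed for illustration. The vulnerable issuer copies whatever scope the request carries straight onto the token; the fixed issuer refuses any scope that is not in allowed_scopes and falls back to the allowed list when no scope is requested at all.

```php
<?php
// Added example (not XenForo code): vulnerable vs fixed scope handling at /oauth2/authorize.
declare(strict_types=1);

// Assumed minimal stand-in for the OAuth client entity: only the fields the check needs.
final class Client
{
    /** @param string[] $allowedScopes scopes granted under "Allowed scopes" in the client options */
    public function __construct(public string $clientId, public array $allowedScopes)
    {
    }
}

/** Parse the space-delimited OAuth2 scope parameter (RFC 6749 section 3.3) into a unique list. */
function parseScopeParam(string $scope): array
{
    $parts = preg_split('/\s+/', trim($scope), -1, PREG_SPLIT_NO_EMPTY);
    return array_values(array_unique($parts));
}

/** Vulnerable behaviour: the requested scopes are used as-is, allowed_scopes is never consulted. */
function issueTokenVulnerable(Client $client, string $requestedScope): array
{
    return ['client_id' => $client->clientId, 'scopes' => parseScopeParam($requestedScope)];
}

/** Fixed behaviour: every requested scope must be in allowed_scopes, otherwise the request is refused. */
function issueTokenFixed(Client $client, string $requestedScope): array
{
    $requested = parseScopeParam($requestedScope);
    if ($requested === []) {
        // No scope parameter: default to the client's allowed scopes, never to "everything".
        $requested = $client->allowedScopes;
    }
    $disallowed = array_values(array_diff($requested, $client->allowedScopes));
    if ($disallowed !== []) {
        // Refuse the whole request rather than silently dropping the extra scopes,
        // so the client (and the audit log) sees that an out-of-policy scope was asked for.
        throw new InvalidArgumentException('invalid_scope: ' . implode(' ', $disallowed));
    }
    return ['client_id' => $client->clientId, 'scopes' => $requested];
}

// Constructed sample: the admin allowed two read scopes, the request sneaks in a write scope.
$client = new Client('demo-client', ['thread:read', 'user:read']);
$attack = 'thread:read  user:read thread:write';

echo "vulnerable token scopes: ", implode(' ', issueTokenVulnerable($client, $attack)['scopes']), PHP_EOL;

try {
    issueTokenFixed($client, $attack);
    echo "fixed issuer accepted the request (unexpected)", PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "fixed issuer refused: ", $e->getMessage(), PHP_EOL;
}

// A request that stays inside the allowed list still succeeds with the fixed issuer.
echo "fixed token scopes: ", implode(' ', issueTokenFixed($client, 'user:read')['scopes']), PHP_EOL;
```

Run it with `php scope_check.php`: the vulnerable issuer prints a token carrying thread:write, while the fixed issuer refuses that request and only issues tokens whose scopes are a subset of allowed_scopes. When porting the check into the XFCP_OAuth2 extension, keep the refusal before the consent page is rendered, so the user is never asked to approve permissions the client was not configured to hold.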

Trust is a weapon of self-interest: it wounds others and protects yourself.